Seems like the trust level of 'curl http://get | gpg --verify | sh' and 'curl https://get | sh' is about the same.
@evanphx data-at-rest vs data-in-motion. Attacks against the latter are easier
@bascule The gpg key being at rest and a returned https key being in motion?
@evanphx data-at-rest can be signed by an offline key (e.g. Yubikey). The best data-in-motion can provide is something like an (online) HSM
@bascule Sure, makes sense. Much harder to forge the gpg-signed script.
@evanphx yeah, it's been a fun year in attacks on TLS
@bascule that's putting it mildly.
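The thread above argues that a script signed at rest with an offline key is harder to forge than anything TLS can vouch for. Worth noting for anyone copying the first tweet literally: a pipeline of the form `curl ... | gpg --verify | sh` does not actually gate execution on the signature, because `gpg --verify` emits nothing to stdout and the shell does not check gpg's exit status in a pipe. The following is an added example, written for this page and not posted by either participant, of the pattern the thread favours done so that verification really does decide whether anything runs: download to a file, fetch a detached signature, verify against a keyring that was populated out of band with the vendor's offline signing key, and only then execute. The URLs, the file names `install.sh` / `install.sh.asc` and the keyring path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Verify a detached gpg signature over a
# downloaded script before running it. Assumed layout: BASE_URL/install.sh and
# BASE_URL/install.sh.asc; KEYRING is a gpg keyring file you built yourself
# from a key whose fingerprint you checked out of band (not from the same server).
set -eu

# verify_and_run SCRIPT SIG KEYRING
# Returns 0 and runs SCRIPT only if gpg accepts SIG as a signature over SCRIPT
# by a key in KEYRING. Any missing/empty input or a bad signature returns 1
# without executing anything.
verify_and_run() {
    script=$1 sig=$2 keyring=$3
    for f in "$script" "$sig" "$keyring"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # --no-default-keyring/--keyring pin trust to the offline-published key;
    # a key fetched over HTTPS from the download server would only be as
    # trustworthy as the TLS connection the thread is worried about.
    if ! gpg --batch --no-default-keyring --keyring "$keyring" \
             --verify "$sig" "$script"; then
        echo "signature check FAILED; refusing to run $script" >&2
        return 1
    fi
    sh "$script"
}

# fetch_and_run BASE_URL KEYRING
# Downloads script and signature to temp files first; nothing is piped to sh.
fetch_and_run() {
    base=$1 keyring=$2
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    curl -fsSL "$base/install.sh"     -o "$tmp/install.sh"
    curl -fsSL "$base/install.sh.asc" -o "$tmp/install.sh.asc"
    verify_and_run "$tmp/install.sh" "$tmp/install.sh.asc" "$keyring"
}

# Usage: ./safe-install.sh https://example.invalid/get ./vendor-keyring.gpg
if [ $# -ge 2 ]; then
    fetch_and_run "$1" "$2"
fi
```

To build the keyring, import the vendor's public key into a dedicated file (`gpg --no-default-keyring --keyring ./vendor-keyring.gpg --import vendor.asc`) and compare its fingerprint against a source independent of the download host; if the key is fetched from the same place as the script, the whole check collapses back to trusting TLS.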